How to Pass Cyber Essentials – Part 1
We see a lot of Cyber Essentials applications through the year, and over time it has become clear that some businesses, quite understandably, do not really understand the questions. This blog series will run to a number of parts. In each post I will focus on one section of the standard and give you both the “assessor’s” view of the question and the “pentester’s” view. With these combined, you should be able to answer the questions easily and put in place the changes to your IT systems needed to pass the standard.
Once all of the series is completed, we will create a PDF of the guide, along with a little discount code for your assessment. So, on with section 1.
Remote Vulnerability Scan
This section MUST be completed. We receive a number of returned questionnaires with nothing entered here. Unless your organisation has no internet connection, does not use email and has no website, leaving it blank will result in an automatic fail. So what needs to go in this section?
Your office IP address
This might sound a little obvious, but it is very often missed. The easiest way to get your office IP address is to browse to https://www.whatsmyip.org/. The heading will say “Your IP Address is”, followed by a series of numbers. This is your IP address, and it goes into the first column. Skip the second column. In the third column enter “Our Office IP”. In the fourth column enter “Internally Hosted – In Scope” and leave the last column blank.
The table should look a little like this:
|IP Address|Fully Qualified Domain Name|Name & Description|System Ownership|If out of scope, explain|
|---|---|---|---|---|
|184.108.40.206||Our Office IP|Internally hosted – in scope||
||www.hsec.li|Our website|Internally hosted – in scope||
What are we looking for in the Vulnerability Scan?
The vulnerability scan should be very easy to pass, yet many companies end up failing it first time around. So what is it we are looking for? In short, no Critical or High risk vulnerabilities. But let’s look at the top vulnerabilities raised over our last 100 assessments:
Fix Your SSL Configuration
This is the number one reason for failing. If you have not configured your SSL services to use only TLSv1.1 and higher with a strong cipher suite, then you will FAIL! We posted a remediation guide for this and it is the single most visited page on our website. You can find the guide to fixing SSL here.
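To see in advance what the assessor’s scanner will see, it helps to probe your own externally facing service for the protocol versions it still accepts. The script below is an added example written for this guide, not code from the original article or from the remediation guide it links to; it handshakes once per TLS version, records the cipher negotiated on each success, and applies the rule stated above (TLSv1.1 or higher only, no Critical or High findings). The weak-cipher substrings in `WEAK_CIPHER_MARKERS` are an illustrative assumption, not the assessor’s actual list, and the hostname is whatever you pass on the command line. Requires Python 3.7 or newer.

```python
"""Check which TLS versions a server accepts and evaluate the result against the
expectation above: TLSv1.1 or higher only, with strong cipher suites.
Added example, not the article's own code. Requires Python 3.7+ (ssl.TLSVersion).
WEAK_CIPHER_MARKERS is an illustrative assumption, not the assessor's list."""
import socket
import ssl

# Versions below TLSv1.1 must not be offered (the article's pass criterion).
WEAK_PROTOCOLS = {"TLSv1"}
# Assumed substrings that mark a weak cipher suite (illustrative only).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port=443, timeout=5):
    """Attempt one handshake per TLS version.

    Returns ({version_name: accepted}, [cipher negotiated on each success]).
    A version also shows as not accepted when the local OpenSSL build refuses to
    speak it, so run this from a client that still supports the old versions."""
    offered, ciphers = {}, []
    for name, version in VERSIONS.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False      # probing protocol support, not trust
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version   # pin the handshake to exactly one version
            ctx.maximum_version = version
            try:
                ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the server choose old suites
            except ssl.SSLError:
                pass                        # builds without SECLEVEL keep the default list
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    offered[name] = True
                    ciphers.append(tls.cipher()[0])
        except (ssl.SSLError, OSError, ValueError):
            offered[name] = False           # handshake refused or version unavailable
    return offered, ciphers


def evaluate(offered, ciphers):
    """Turn probe results into (severity, message) findings, scan-report style."""
    findings = []
    for name, accepted in offered.items():
        if accepted and name in WEAK_PROTOCOLS:
            findings.append(("High", f"{name} accepted; only TLSv1.1 and higher should be enabled"))
    for cipher in ciphers:
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(("High", f"weak cipher suite negotiated: {cipher}"))
    if not any(offered.get(v) for v in ("TLSv1.2", "TLSv1.3")):
        findings.append(("High", "neither TLSv1.2 nor TLSv1.3 is offered"))
    return findings


def passes(findings):
    """The article's rule: no Critical or High risk findings."""
    return not any(severity in ("Critical", "High") for severity, _ in findings)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: tls_check.py <your-hostname> [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    offered, ciphers = probe(host, port)
    findings = evaluate(offered, ciphers)
    for name, accepted in offered.items():
        print(f"{name:8} {'accepted' if accepted else 'refused'}")
    for severity, message in findings:
        print(f"[{severity}] {message}")
    print("PASS" if passes(findings) else "FAIL")
```

Run it against your own web or mail host before you submit the questionnaire; a result that lists TLSv1 as accepted is the same finding the scan will raise. Because a modern client may itself refuse to negotiate TLSv1, a “refused” result only proves the server does not accept the version from this client, so use an older build or a dedicated TLS scanner if you need certainty.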
Patch Your Systems
This is the second most common reason for failing. You would be astounded at how many companies fail because they do not patch their systems. If you do not patch your externally facing systems, then you are highly likely to have a Critical or High-risk vulnerability present.
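A quick way to check an externally facing Debian or Ubuntu host before the scan is to look at what `apt` already knows is outstanding. The script below is an added example for this guide, not code from the original article; it parses the output of `apt list --upgradable` and separates updates that come from a `*-security` suite from ordinary ones. `SAMPLE_APT_OUTPUT` is constructed for the example (the package names are real Ubuntu packages, the version strings are illustrative), and `--live` runs the real command on the host instead.

```python
"""Find pending security updates from `apt list --upgradable` output so an
externally facing Debian/Ubuntu host can be checked before the scan.
Added example, not the article's code. SAMPLE_APT_OUTPUT is constructed
(package names are real, version strings are illustrative)."""
import re
import subprocess

SAMPLE_APT_OUTPUT = """\
Listing... Done
openssl/focal-updates,focal-security 1.1.1f-1ubuntu2.16 amd64 [upgradable from: 1.1.1f-1ubuntu2.15]
libssl1.1/focal-updates,focal-security 1.1.1f-1ubuntu2.16 amd64 [upgradable from: 1.1.1f-1ubuntu2.15]
vim/focal-updates 2:8.1.2269-1ubuntu5.7 amd64 [upgradable from: 2:8.1.2269-1ubuntu5.4]
"""

# One upgradable package per line: name/suite[,suite...] version arch [upgradable from: old]
LINE_RE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+\S+\s+"
    r"\[upgradable from: (?P<old>[^\]]+)\]$"
)


def parse_upgradable(text):
    """Return a list of dicts, one per upgradable package. Lines that do not
    match (the 'Listing... Done' banner, blank lines) are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        suites = match.group("suites").split(",")
        rows.append({
            "package": match.group("pkg"),
            "installed": match.group("old"),
            "available": match.group("new"),
            # Debian/Ubuntu publish security fixes through a *-security suite
            "security": any(s.endswith("-security") for s in suites),
        })
    return rows


def security_updates(text):
    """Only the packages whose pending update comes from a security suite."""
    return [row for row in parse_upgradable(text) if row["security"]]


def live_output():
    """Run apt on this host (Debian/Ubuntu only). apt warns that its list output
    is not a stable interface, which is why the parser skips unrecognised lines."""
    result = subprocess.run(["apt", "list", "--upgradable"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    import sys
    text = live_output() if "--live" in sys.argv else SAMPLE_APT_OUTPUT
    pending = security_updates(text)
    for row in pending:
        print(f"{row['package']}: {row['installed']} -> {row['available']} (security)")
    print(f"{len(pending)} security update(s) pending")
```

Anything this reports is a patch that was published and not applied, which is exactly the gap an external scanner turns into a High or Critical finding by fingerprinting the version you still expose. Run `apt update` first so the package lists are current, and treat a non-zero count on an internet-facing host as something to fix before the assessment rather than after.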
Replace those Out of Support Systems
This is the third most common reason for failing: still using Windows 2003 or Windows XP systems. Even Windows 2008 is pretty much out of support now. But the problem is not confined to Windows. We see a lot of old, out-of-date Linux systems in use. You need to retire these and replace them with modern, supported alternatives.
Cloud / Shared Services Assessment
This part of the assessment is really only looking at your cloud-delivered applications such as Office 365, Gmail suite, Salesforce, etc. You should list all SaaS (Software as a Service) products that you use within the business.
Description of the service
This is usually the name of the service which you use. For example:
Microsoft Office 365
This is simply the name of the supplier.
Independent audit standards to which the suppliers have been previously assessed.
This can take some digging, but it is usually on the supplier’s website somewhere. In some cases you may need to ask the supplier directly. Common answers include:
Evidence of certification provided to the certifying body
This is the most important column for us as the assessor. You need to provide links to, or attach to your return, evidence that the supplier has completed any independent audits.
Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.